Menu

Search for hundreds of thousands of exploits

"Winamp 5.63 - Invalid Pointer Dereference"

Author

Exploit author

"Julien Ahrens"

Platform

Exploit platform

windows

Release date

Exploit published date

2013-07-02

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
Inshell Security Advisory
http://www.inshell.net


1. ADVISORY INFORMATION
-----------------------
Product:        WinAmp
Vendor URL:     www.winamp.com
Type:           Pointer Issues [CWE-465]
Date found:     2013-06-05
Date published: 2013-07-01
CVSSv2 Score:   4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            CVE-2013-4695


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED
--------------------
WinAmp v5.63, older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
An invalid pointer dereference vulnerability has been identified in
WinAmp v5.63.

The application loads the contents of the %APPDATA%\WinAmp\links.xml on
startup (the key lngId="default") and while browsing through the
bookmarks in the Browser view of the GUI, but does not properly validate
the length of the string loaded from the "<link name>" and "<home url>"
keys before using them in a pointer call in the library gen_ff.dll,
which leads to a invalid pointer dereference condition with possible
code execution.

An attacker needs to force the victim to place an arbitrary links.xml
file into the target directory in order to exploit the vulnerability.
Successful exploits can allow attackers to execute arbitrary code with
the privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.


5. PROOF-OF-CONCEPT (DEBUG)
---------------------------
Registers:
EAX E85130FF
ECX 00430043 winamp.00430043
EDX 00D1F5B4
EBX 00000000
ESP 00D1F598
EBP 00D1F5C4
ESI 023D3170
EDI 7C80934A kernel32.GetTickCount
EIP 073D0EE1 gen_ff.073D0EE1
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDC000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Stackview:
ESP-20   > 00000000
ESP-1C   > 00000100
ESP-18   > 00C1F444
ESP-14   > 7C9215F9  ntdll.7C9215F9
ESP-10   > 7C9215F9  ntdll.7C9215F9
ESP-C    > 00385D58
ESP-8    > 00163700
ESP-4    > 7C9215F9  ntdll.7C9215F9
ESP ==>  > 000000BE
ESP+4    > 00D1F5B4
ESP+8    > 00D1F5A8
ESP+C    > 00000003
ESP+10   > 00D1F5C0
ESP+14   > 00D1F5BC
ESP+18   > 00D1F5B8
ESP+1C   > 00D1FF14
ESP+20   > 00000900

Vulnerable code part (<link name>):
.text:07363F47                 push    ebp
.text:07363F48                 mov     ebp, esp
.text:07363F4A                 push    ecx
.text:07363F4B                 push    1
.text:07363F4D                 lea     edx, [ebp+var_4]
.text:07363F50                 push    edx
.text:07363F51                 lea     eax, [ebp+arg_4]
.text:07363F54                 push    0
.text:07363F56                 push    [ebp+arg_0]
.text:07363F59                 mov     [ebp+var_4], eax
.text:07363F5C                 mov     eax, [ecx]
.text:07363F5E                 call    dword ptr [eax]
.text:07363F60                 leave
.text:07363F61                 retn    8

Vulnerable code part (<home url>):
.text:073620F8                 push    ebp
.text:073620F9                 mov     ebp, esp
.text:073620FB                 mov     eax, [ecx]
.text:073620FD                 push    0
.text:073620FF                 push    0
.text:07362101                 lea     edx, [ebp+arg_0]
.text:07362104                 push    edx
.text:07362105                 push    [ebp+arg_0]
.text:07362108                 call    dword ptr [eax]
.text:0736210A                 test    eax, eax
.text:0736210C                 mov     eax, [ebp+arg_0]
.text:0736210F                 jnz     short loc_7362114
.text:07362111                 mov     eax, [ebp+arg_4]
.text:07362114
.text:07362114 loc_7362114:                            ; CODE XREF:
sub_73620F8+17j
.text:07362114                 pop     ebp
.text:07362115                 retn    8


6. SOLUTION
-----------
Update to latest version v5.64 or newer.


7. REPORT TIMELINE
------------------
2013-06-05: Discovery of the vulnerability
2013-06-06: Vendor acknowledgement of the issue
2013-06-11: Vendor provides custom build that includes a fix
2013-06-12: The issue is still exploitable
2013-06-12: Provided another PoC to clarify the way to exploit
2013-06-13: Vendor provides custom build that includes a fix
2013-06-14: Confirmation that the issue is fixed
2013-06-19: Vendor releases v5.64 which includes the fix
2013-07-01: Coordinated Disclosure


8. REFERENCES
-------------
http://security.inshell.net
http://forums.winamp.com/showthread.php?t=364291
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-11-27 "Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF" webapps multiple "Julien Ahrens"
2019-05-14 "Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection" webapps php "Julien Ahrens"
2019-04-10 "Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution" webapps php "Julien Ahrens"
2017-12-26 "Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation" local windows "Julien Ahrens"
2017-10-18 "Check_MK 1.2.8p25 - Information Disclosure" webapps python "Julien Ahrens"
2017-10-13 "AlienVault Unified Security Management (USM) 5.4.2 - Cross-Site Request Forgery" webapps php "Julien Ahrens"
2016-11-22 "AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting" webapps java "Julien Ahrens"
2016-11-21 "Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal" webapps java "Julien Ahrens"
2016-07-13 "Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities" webapps xml "Julien Ahrens"
2016-05-23 "XenAPI 1.4.1 for XenForo - Multiple SQL Injections" webapps php "Julien Ahrens"
2016-02-23 "Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery" webapps json "Julien Ahrens"
2014-06-01 "Easy File Management Web Server 5.3 - 'UserID' Remote Buffer Overflow (ROP)" remote windows "Julien Ahrens"
2014-03-17 "Free Download Manager - Stack Buffer Overflow" dos windows "Julien Ahrens"
2014-03-09 "GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution" remote windows "Julien Ahrens"
2014-02-20 "VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution" remote windows "Julien Ahrens"
2014-02-19 "VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Remote Stack Buffer Overflow" remote windows "Julien Ahrens"
2013-11-30 "Kingsoft Office Writer 2012 8.1.0.3385 - '.wps' Local Buffer Overflow (SEH)" local windows "Julien Ahrens"
2013-11-18 "Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow" dos windows "Julien Ahrens"
2013-09-08 "Watchguard Server Center - Local Privilege Escalation" local windows "Julien Ahrens"
2013-07-02 "Winamp 5.63 - Invalid Pointer Dereference" dos windows "Julien Ahrens"
2013-07-02 "Winamp 5.63 - Stack Buffer Overflow" dos windows "Julien Ahrens"
2013-05-04 "ABBS Audio Media Player 3.1 - '.lst' Local Buffer Overflow" local windows "Julien Ahrens"
2013-03-22 "Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - 'ScsiAccess.exe' Local Privilege Escalation" local windows "Julien Ahrens"
2013-03-04 "HP Intelligent Management Center - 'topoContent.jsf' Cross-Site Scripting" webapps java "Julien Ahrens"
2013-02-23 "Photodex ProShow Producer - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities" remote windows "Julien Ahrens"
2013-02-15 "Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption" local windows "Julien Ahrens"
2013-01-14 "Serva 2.0.0 - HTTP Server GET Remote Denial of Service" dos windows "Julien Ahrens"
2013-01-14 "Serva 2.0.0 - DNS Server QueryName Remote Denial of Service" dos windows "Julien Ahrens"
2012-11-20 "FormatFactory 3.0.1 - Profile File Handling Buffer Overflow" local windows "Julien Ahrens"
2012-11-12 "Zoner Photo Studio 15 Build 3 - 'Zps.exe' Registry Value Parsing" local windows "Julien Ahrens" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected